Background of Invention

[0003] Secure exchange of data between two parties, for exam- 
ple, between two computers, requires encryption. There 
are two general methods of encryption in use today, private key
encryption and public key encryption. A public
key cryptosystem is one in which each party can publish 
their encryption process without compromising the secu- 
rity of the decryption process. The encryption process is 
popularly called a "trap-door" function. The public key 
cryptosystems are typically used for transmitting small 
amounts of data, such as credit card numbers, and they 
are also used to transmit a private key which is then used 
for private key encryption. Public key cryptosystems are 
generally slower than private key cryptosystems. Most of the
known public key cryptosystems have been recently broken
using high computational power. In private key encryption,
the two parties privately exchange the keys to be
used for encryption and decryption. A widely used example
of a private key cryptosystem is DES, the Data Encryption
Standard. Such systems can be fast and secure, but
they suffer the disadvantage that the two parties must exchange
their keys privately. This problem is currently addressed
by using public key cryptosystems for private
key distribution/sharing. The most famous key sharing
method currently used is the Diffie-Hellman protocol. However,
in the situation when the same private key is used
very frequently, especially in the case of large communication
networks of trusted participants, the private key is
vulnerable to attacks. Therefore, there is a necessity of
the periodic change of the private keys. This latter disadvantage
amplifies the former disadvantage of the systems
due to the necessity of synchronizing private keys among 
the participants of the communication network and thus 
may cause serious inconvenience for the participants. 
Most users, therefore, would find it desirable to have a 
cryptosystem which combines advantages of the private 
and public ones: relatively short, easily created keys with 
relatively high speed encryption and decryption processes, 
secure generation and/or distribution of private keys. In 
other words, the desirable solution has to be a synthesis 
of public and private cryptosystems. 

[0004] It is among the objects of the invention to provide a cryptosystem
with elements of public and private cryptosystems.
In this cryptosystem both the encryption and decryption
keys are composed out of a non-secret outer component
and a secret inner component in such a way that
both components of the keys are relatively short and easily
generated, and the encryption and decryption processes
can be performed extremely rapidly.

[0005] It is also among the objects hereof to provide a cryptosystem
which has very low memory requirements and which
depends on a variety of internal parameters that permit
substantial flexibility in balancing security level, key
length, encryption and decryption speed, memory requirements,
and bandwidth. It is also among the objects
of the invention to provide the cryptosystem capability for
generating encryption/decryption transformations based
both on the outer components of the keys and on the cryptosystem's
internal parameters so that knowledge of the
outer components of the keys does not provide the slightest
possibility for reconstruction of the inner components of
the keys.

Summary of Invention

[0006] The symmetric encryption system of the present invention 
has short and easily created encryption/decryption keys 
and wherein the encryption and decryption processes are 
performed extremely rapidly, and has very low computer 
memory requirements. The encryption and decryption 
processes use the operations of addition and dot product 
of vectors in vector spaces over the field of real numbers 
or, more generally, over any ring. The cryptosystem of the 
present invention constructs encryption/decryption keys 
on the fly out of a chosen set of vectors of a given vector
space or, more generally, of a module over a given ring.
Total length of the chosen vectors is comparable to or
much shorter than the key lengths of the most widely
used prior art cryptosystems. The present invention, while
requiring extremely little computer memory (about 128
bits for the inner component of the encryption/decryption
key), features an extremely high security level (at least
$2^{178}$), with encryption and decryption processes ranging
from approximately two to three orders of magnitude 
faster than the prior art. Each encryption/decryption key 
of the cryptosystem hereof consists of an outer compo- 
nent and an inner component. The role of the outer com- 
ponent is played by a set of discrete data that, typically, is 
a finite sequence of positive integers. The role of the inner 
component (which is also further referred to as "internal
parameters") is played by continuous data. In one embodiment
the internal parameters include a set of vectors of a
given vector space. In another embodiment these parame- 
ters include, besides a set of vectors of a given vector 
space, a set of polynomial or rational automorphisms of 
this vector space. The encryption and decryption tech- 
niques are mutually symmetric and require the same time, 
amount of memory, and computational power. Therefore,
the same device can work both as the encryption and the
decryption device. Only the outer component of the key
determines in which mode, i.e., encryption or decryption,
the device is currently working. Namely, the outer component
of the key used for encrypting a message can be
transmitted along with the encrypted message so that the
receiving device uses this public component as the public
component of the decryption key. The present invention
allows the internal parameters to be chosen essentially at
random from a large set of vectors. If the cryptosystem
has m internal parameters each of which is a vector in the
n-dimensional vector space V over the field of real numbers
and the total size of the internal parameters is $l$ binary
bits, the security level is at least

[0007] $2^{l} \cdot (l-1)!/[(n \cdot m - 1)!\,(l - n \cdot m)!]$

[0008] (Actually the security level is much higher because the
size $l$ can be arbitrarily big and not public.) For example, if
there are 4 private internal parameters that occupy 128
bits and belong to the 3-dimensional real vector space,
the security level of the cryptosystem is at least
$2^{128} \cdot 2^{50} = 2^{178}$.

[0009] The creation of an encryption transformation (from the
space of plaintexts to the space of ciphertexts) requires a
choice of both an outer component and an inner component.
Because of this the decryption transformation (from
the space of ciphertexts to the space of plaintexts) cannot 
be reconstructed based solely on the outer component. 
Moreover, the continuous nature of the inner component 
leaves no chance to reconstruct it even in the case when 
both the outer component of the key and the ciphertext 
are publicly available. Even if, in addition to the outer 
component and the ciphertext, the plaintext is also pub- 
licly available, it is still impossible to reconstruct the inner 
component. 

[0010] The outer components of keys of the cryptosystem of the 
present invention serve as the generators of both the en- 
cryption and decryption keys. In particular, the cryptosys- 
tem proposed by the present invention does not require 
the recipient of messages to communicate the outer com- 
ponent of the encryption key to the sender. In one em- 
bodiment, this outer component may be generated solely 
by the sender and sent to the recipient along with the en- 
crypted message. In one embodiment, the outer compo- 
nent of the key can be attached as an initial segment of 
the transmitted message. In another embodiment, this 
outer component may be embedded in the encrypted
message at equal distances between the digits of the
message. 

[0011] An important feature of the cryptosystem hereof is a dynamic
and highly secure update of encryption and decryption
keys. The security of the keys is guaranteed by the
fact that their update proceeds without exchange of the 
new keys between communicating parties. Instead of such 
an exchange, the outer component of the encryption key, 
as embedded into the transmitted message, determines a 
new decryption key, which, in its turn, triggers the gener- 
ation of a new decryption transformation. This update 
does not require any change in the inner component. Ac- 
tually, any transmitted message may trigger a new de- 
cryption key generation. Therefore, the cryptosystem of 
the present invention overcomes a serious disadvantage 
of major private key cryptosystems: in such private key 
cryptosystems as DES or AES the encryption key does not 
change over a certain period of time, which fact encour- 
ages attacks against the cryptosystem. Unlike this, each 
time as the outer component is changed the cryptosystem 
hereof generates a new encryption transformation. 

[0012] In one embodiment the outer component of the key is a
sequence of positive integers. This sequence may be generated
at random by using any distribution of the first m
natural numbers. The security of the symmetric cryp- 
tosystem of the present invention comes from the built-in 
geometric continuity of plaintexts and ciphertexts as 
points of vector spaces as well as from the continuity of 
the inner components of encryption/decryption keys. In 
other words, security of the proposed cryptosystem is 
guaranteed by the obvious mathematical fact that there 
are potentially uncountably many geometric transforma- 
tions of a given vector space. 

[0013] An embodiment of the invention is in the form of a
method for encryption and decryption of a digital message
M, comprising the following steps: producing a module V
over a ring R; producing an outer component P of the encryption
key that includes the sequence $(p_1, p_2, \ldots, p_k)$, where
each member $p_i$ of the sequence belongs to the set $\{1, 2, \ldots, m\}$
(the length k of the sequence is arbitrary and thus
repetitions are allowed in the sequence); producing an inner
component Q of the encryption key that includes elements
$v_1, v_2, \ldots, v_m$ of V and automorphisms $g_1, g_2, \ldots, g_m$
of V; producing the encryption key K = (P; Q), where P is
the outer component and Q is the inner component; producing
an encryption automorphism $T_e$ of V based on the
encryption key K, where $T_e$ includes a composition of certain
automorphisms $T_1, T_2, \ldots, T_m$ of the module V, which
composition is performed in the order prescribed by P;
producing an encrypted message element E as a function
of a message element M in V and of the encryption automorphism
$T_e$; transmitting the encrypted message element
E along with the outer component P from one user
to another; producing the outer component P' of the decryption
key that includes the sequence $(p_k, p_{k-1}, \ldots, p_1)$, i.e.,
the sequence reversed of that involved in producing the
outer component P of the encryption key; producing the
decryption key K' = (P'; Q'), where P' is the outer component
of the decryption key and Q' is the inner component
of the decryption key which is equal to the inner component
Q of the encryption key; producing a decryption automorphism
$T_d$ of V based on the decryption key K', where
$T_d$ includes a composition of the automorphisms $T_1, T_2, \ldots, T_m$,
which composition is performed in the order prescribed
by P', e.g., $T_d$ is the inverse automorphism of $T_e$;
determining the message element M as a function of the
encrypted message element E and of the decryption automorphism
$T_d$, where the function is the same as that one
used in generation of E (that is, the decryption method is
symmetric to encryption: the decryption proceeds as the
encryption, but with replacement of the outer component
P with the outer component P').

[0014] Further features and advantages of the invention will become
more readily apparent from the following detailed
description when taken in conjunction with the accompanying
drawings.

Brief Description of Drawings

[0015] FIG. 1 is a block diagram of a system that can be used in 
practicing embodiments of the invention. 

[0016] FIG. 2 is a flow diagram of a symmetric encryption system 
which, when taken with the subsidiary flow diagrams re- 
ferred to therein, can be used in implementing embodi- 
ments of the invention. 

[0017] FIG. 3 is a flow diagram of a routine, in accordance with 
an embodiment of the invention, for generating outer 
component of the encryption key. 

[0018] FIG. 4 is a flow diagram of a routine, in accordance with 
an embodiment of the invention, for generating the inner 
component of the encryption key using the outer compo- 
nent. 

[0019] FIG. 5 is a flow diagram in accordance with an embodiment
of the invention, for encrypting a message using the
inner component of the encryption key.

[0020] FIG. 6 is a flow diagram of a routine, in accordance with
an embodiment of the invention, for generating the inner
component of the decryption key using the outer component.

[0021] FIG. 7 is a flow diagram in accordance with an embodiment
of the invention, for decrypting a message using the
inner component of the encryption key.

[0022] FIG. 8 is a flow diagram of a routine, in accordance with 
another embodiment of the invention, for generating the 
inner component of the encryption key using the outer 
component. 

[0023] FIG. 9 is a flow diagram in accordance with another embodiment
of the invention, for generating the inner component
of the decryption key using the outer component.

Detailed Description

[0024] FIG. 1 is a block diagram of a system that can be used in 
practicing embodiments of the invention. Two processor- 
based subsystems 101 and 151 are shown as being in 
communication over an insecure channel 100, which may 
be, for example, any wired or wireless communication 
channel such as a telephone or internet communication 
channel. The subsystem 101 includes processor 102 and
the subsystem 151 includes processor 152. When programmed
in the manner to be described, the processors
102 and 152 and their associated circuits can be used to 
implement an embodiment of the invention and to prac- 
tice an embodiment of the method of the invention. The 
processors 102 and 152 may each be any suitable proces- 
sor, for example an electronic digital processor or micro- 
processor. It will be understood that any general purpose 
or special purpose processor, or other machine or cir- 
cuitry that can perform the functions described herein, 
electronically, optically, or by other means, can be uti- 
lized. The processors may be, for example, Intel Pentium 
processors. The subsystem 101 will typically include 
memories 103, clock and timing circuitry 104, input/ 
output functions 105 and monitor 106, which may all be 
of conventional types. Inputs can include a keyboard input 
as represented at 107. Communication is via transceiver 
108, which may comprise a modem or any suitable device 
for communicating signals. The subsystem 151 in this il- 
lustrative embodiment can have a similar configuration to 
that of subsystem 101. The processor 152 has associated 
input/output circuitry 155, memories 153, clock and timing
circuitry 154, and a monitor 156. Inputs include a
keyboard 157. Communication of subsystem 151 with the
outside world is via transceiver 158 which, again, may 
comprise a modem or any suitable device for communi- 
cating signals. 

[0025] The encryption and decryption techniques of an embodi- 
ment of the symmetric cryptosystem hereof use a cryp- 
tosystem based on an action of the infinite group on a 
vector space. The security of the symmetric cryptosystem 
of the present invention hereof comes from the built-in 
geometric continuity of plaintexts and ciphertexts as 
points of vector spaces as well as from the continuity of 
the inner component of encryption/decryption keys per- 
forming transformations between plaintexts and cipher- 
texts. In other words, security of the proposed cryptosys- 
tem is guaranteed by the obvious mathematical fact that 
there are potentially uncountably many geometric trans- 
formations of a given vector space. 

[0026] The cryptosystem hereof is essentially a private key sym- 
metric cryptosystem because both decryption and encryp- 
tion keys are of the similar structure and are not publicly 
available. Another similarity is that in the cryptosystem 
hereof formation of both encryption and decryption keys 
depends on fixed secret internal parameters. However,
unlike in major private key symmetric cryptosystems like
DES or AES there are in the cryptosystem hereof many dif- 
ferent encryption/decryption keys corresponding to a 
chosen set of secret parameters. Namely, generation of a 
particular encryption/decryption key in the cryptosystem 
of the present invention depends, besides the fixed secret 
parameters, on a choice of certain publicly available data, 
which data is referred to as outer component. Another 
difference between the cryptosystem of the present inven- 
tion and major private key cryptosystems is that the cryp- 
tosystem hereof requires neither sharing nor storing of 
encryption and decryption keys. In the cryptosystem 
hereof each message can be encrypted by its own encryp- 
tion key independently of other messages. Each decryp- 
tion key can be created upon receiving an encrypted mes- 
sage and does not have to be stored after the message 
has been decrypted. Thus the dynamic generation of en- 
cryption and decryption keys in the present invention 
eliminates the disadvantage of the major private key cryp- 
tosystems (like DES or AES) caused by the necessity of pe- 
riodic change of the keys. Moreover, the present invention 
turns this disadvantage into a most efficient and attractive 
feature of the proposed cryptosystem. After a set of secret
internal parameters has been chosen, the encryption key
depends entirely on the publicly available data, i.e., the 
outer component. However, this encryption key is not 
public itself and the publicly available data do not neces- 
sarily come from the potential recipient of the message. 
Moreover, the decryption key of the present invention 
does not have to be an exclusive property of the potential 
recipient of the message. Knowledge of the outer compo- 
nent does not allow for constructing an encryption key 
unless the secret internal parameters of the cryptosystem 
are available. Thus, construction or reconstruction of any 
key in the cryptosystem hereof requires both a set of se- 
cret internal parameters and an outer component. The 
same outer component is used for constructing both en- 
cryption and decryption keys. 

[0027] So far there is no literature describing a cryptosystem
embodying a geometric principle underlying the system
hereof. Apparently an approach that is the closest to the
present invention is developed in U.S. Pat. No. 5,740,250
entitled TAME AUTOMORPHISM PUBLIC KEY SYSTEM by Moh.
The idea of using polynomial automorphisms in cryptography
was developed in the patent. However, this is perhaps
the only similarity because Moh's patent addresses
only the public key cryptosystem.

[0028] An embodiment of the cryptosystem hereof deals with the
n-dimensional vector space V over the field of real numbers
and a bilinear form L on V. A vector x in V can be
written as an n-tuple of real numbers: $x = [x_1, x_2, \ldots, x_n]$.
A bilinear form can be written as

[0029] $L(x, y) = \sum l_{ij}\, x_i\, y_j$

[0030] where the summation is over all pairs (i, j) such that $1 \le i, j \le n$,
and all $l_{ij}$ are real numbers. The embodiment of the
cryptosystem hereof depends on discrete parameters n
and m, which are positive integers, and the set of continuous
parameters: any vectors $v_1, v_2, \ldots, v_m$ of V. In an embodiment
the coordinates of the vectors of the cryptosystem
hereof are presented by decimal real numbers having
totally $l$ decimal digits (therefore, the average number of
digits in each coordinate is $l/(n \cdot m)$). Therefore, the security
level of the cryptosystem hereof is measured as the
number of all such sets of parameters, i.e.,

[0031] $10^{l} \cdot (l-1)!/[(n \cdot m - 1)!\,(l - n \cdot m)!]$.

[0032] For example, if n = 3, m = 4, $l$ = 72, the security level is
measured as

[0033] $10^{72} \cdot (72-1)!/[(3 \cdot 4 - 1)!\,(72 - 3 \cdot 4)!] \approx 2.5 \cdot 10^{84}$



[0034] (Actually the security level is much higher because the total
number $l$ of the digits can be arbitrarily big and is not
public.) The following is an example of an embodiment in
accordance with the invention of a symmetric key cryptosystem.
The small numbers n = 3, m = 4, $l \le 24$ are used
for ease of illustration, however, even with these small
numbers the cryptosystem hereof is still cryptographically
secure. Its security level is measured as at least $1.3 \cdot 10^{30} \approx 2^{100}$.
In creating a symmetric cryptosystem in accordance
with an embodiment hereof (and with the previously indicated
small numbers for ease of illustration), a first step is
to choose integer parameters m, n. Take, for example n =
3, m = 4. Next, the bilinear form L is chosen to be the
standard Euclidean dot product on $V = R^3$, that is,

[0035] $L(x, y) = x_1 \cdot y_1 + x_2 \cdot y_2 + x_3 \cdot y_3$

[0036] for all x and y in $R^3$. Some sequence of vectors $v_1$, $v_2$, $v_3$, $v_4$
is chosen as follows: $v_1$ = [1,21,31], $v_2$ = [2,30,40], $v_3$ =
[3,40,50], $v_4$ = [4,50,6]. A plaintext message, for example,
is the vector x = [4,5,6] of $R^3$. Then:

[0037] $L(x, v_1) = 295$, $L(x, v_2) = 398$, $L(x, v_3) = 512$, $L(x, v_4) = 302$.

[0038] Furthermore, 



[0039] $L(v_1, v_1) = 1403$, $L(v_2, v_2) = 2504$, $L(v_3, v_3) = 4109$, $L(v_4, v_4) = 2552$.

[0040] Therefore,

[0041] $S_1(x) = [4,5,6] - 2 \cdot (295/1403) \cdot [1,21,31] = [3.579472559, -3.831076265, -7.036350677]$

[0042] $S_2(x) = [4,5,6] - 2 \cdot (398/2504) \cdot [2,30,40] = [3.364217252, -4.536741214, -6.715654952]$

[0043] $S_3(x) = [4,5,6] - 2 \cdot (512/4109) \cdot [3,40,50] = [3.25237284, -4.968362132, -6.460452665]$

[0044] $S_4(x) = [4,5,6] - 2 \cdot (302/2552) \cdot [4,50,6] = [3.053291536, -6.8338558, 4.579937304]$

[0045] The above fractional numbers are computed with the pre- 
cision of nine decimal places after the dot. In this example 
the numbers will be rounded up to two decimal places af- 
ter the dot, that is, 

[0046] $S_1(x) = [3.58, -3.83, -7.04]$,

[0047] $S_2(x) = [3.36, -4.54, -6.72]$,

[0048] $S_3(x) = [3.25, -4.97, -6.46]$,

[0049] $S_4(x) = [3.05, -6.83, 4.58]$.

[0050] To implement the cryptosystem of this example, the user
of the processor-based system 101, call her Alice, decides
to send a message to the user of the processor-based
system 151, call him Bob. [It is assumed in this example
that the processor-based systems 101 and 151 share the
secret (i.e., available only to Alice and Bob) parameters $v_1$,
$v_2$, $v_3$, $v_4$ and the (non-secret) standard dot-product L on
V, defined as above]. Suppose that Alice [or the processor-based
system 101] chooses k = 8 and a sequence P of
k integers: P = (1, 2, 3, 4, 1, 2, 3, 4) as the outer component
of the encryption key [the restrictions on P in this
example are that $p_j \ne p_{j+1}$ for j = 1, 2, ..., k-1, and all $p_j$
are between 1 and 4; therefore, P can be chosen essentially
at random within these limits]. Thus the encryption
key K = (P, Q) is created, where Q is the inner component
comprised of the parameters $v_1$, $v_2$, $v_3$, $v_4$. Based on this
encryption key K, the processor-based system 101 creates
the encryption automorphism $T_e$. This $T_e$ is an automorphism
of the space V defined by the formula

[0051] $T_e = S_1 \circ S_2 \circ S_3 \circ S_4 \circ S_1 \circ S_2 \circ S_3 \circ S_4$,

[0052] where the reflections $S_1$, $S_2$, $S_3$, $S_4$ are as above. For example,
suppose that Alice wants to send to Bob the message
M = x = [4,5,6]. The processor-based system 101
encrypts this message using the encryption automorphism
$T_e$ constructed above. The processor-based system
101 applies the encryption automorphism $T_e$ to M and
thus creates the encrypted message E given by

[0053] $E = T_e(M) = [3.435583316, -4.617835082, -6.623621852]$.

[0054] The above fractional numbers are computed with the precision
of nine decimal places after the dot. In this example
the numbers comprising E are rounded up to two decimal
places after the dot, that is, E is replaced by $E_{round}$, where

[0055] $E_{round} = [3.44, -4.62, -6.62]$.

[0056] Then transceiver 108 sends the pair

[0057] $(P; E_{round}) = (1, 2, 3, 4, 1, 2, 3, 4; [3.44, -4.62, -6.62])$

[0058] to the processor-based system 151. In the next part of
the example, decryption of the received message is described.
In order to decrypt the received message $(P; E_{round})$,
the processor-based system 151 creates the decryption
key K' = (P'; Q), where P' = (4,3,2,1,4,3,2,1), that
is, P' is the reversed P, and Q is the inner component as
above. Based on this decryption key K' the processor-based
system 151 creates the decryption automorphism $T_d$
of the vector space V given by

[0059] $T_d = S_4 \circ S_3 \circ S_2 \circ S_1 \circ S_4 \circ S_3 \circ S_2 \circ S_1$

[0060] The processor-based system 151 decrypts the received
message $E_{round}$ by applying the automorphism $T_d$:

[0061] $M_{approx} = T_d(E_{round}) = [4.004794621, 5.000831229, 5.99630786]$.

[0062] The above fractional numbers are computed with the precision
of nine decimal places after the dot. In this example
processor-based system 151 rounds up these numbers to
the closest integers, that is, it replaces $M_{approx}$ by $M_{round}$,
where $M_{round} = [4,5,6]$. This is the original message M.
The fact that the coordinates of the decrypted message $M_{approx}$
are sufficiently close to integers [that is, the distances between
the coordinates and the closest integers are less
than 0.01] indicates that there has not been any error
during transmission of the message $(P; E_{round})$. Therefore,
the cryptosystem of the present invention can also be
used for detecting errors of transmission.
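
The worked example of paragraphs [0034] to [0062], as an added Python sketch that is not part of the original patent text: it rebuilds the reflections from the listed vectors, reproduces E and the rounded round trip, and checks that the encryption map is a length-preserving linear map (an orthogonal matrix). The function names are illustrative, and the right-to-left composition order is an assumption that agrees with the printed value of E.

```python
import math

# Secret inner component Q from the worked example ([0036]).
V = {1: (1.0, 21.0, 31.0), 2: (2.0, 30.0, 40.0),
     3: (3.0, 40.0, 50.0), 4: (4.0, 50.0, 6.0)}


def dot(a, b):
    """Standard Euclidean dot product L(a, b)."""
    return sum(ai * bi for ai, bi in zip(a, b))


def reflect(x, v):
    """S_v(x) = x - 2 * L(x, v) / L(v, v) * v, the form used in [0041]-[0044]."""
    c = 2.0 * dot(x, v) / dot(v, v)
    return tuple(xi - c * vi for xi, vi in zip(x, v))


def check_outer(P, m):
    """Enforce the example's restrictions on P: 1 <= p_j <= m, p_j != p_{j+1}."""
    if not P or any(not 1 <= p <= m for p in P):
        raise ValueError("outer component entries must lie in 1..m")
    if any(a == b for a, b in zip(P, P[1:])):
        raise ValueError("adjacent entries of P must differ")


def transform(P, x, vectors=V):
    """Apply S_{p_1} o ... o S_{p_k} to x (rightmost factor acts first; assumed)."""
    check_outer(P, len(vectors))
    for p in reversed(P):
        x = reflect(x, vectors[p])
    return x


def encrypt(P, M, digits=2):
    """Return (E, E_round): the exact image and the value actually transmitted."""
    E = transform(P, M)
    return E, tuple(round(e, digits) for e in E)


def decrypt(P, E_round, tol=0.01):
    """Reverse P, apply the same routine, round to integers.

    Returns (M_round, M_approx, ok); ok is False when some coordinate is
    farther than tol from an integer, the transmission-error signal of [0062].
    """
    M_approx = transform(tuple(reversed(P)), E_round)
    M_round = tuple(round(c) for c in M_approx)
    ok = all(abs(c - r) < tol for c, r in zip(M_approx, M_round))
    return M_round, M_approx, ok


def as_matrix(P, n=3):
    """Images of the standard basis vectors as columns: T_e is a plain matrix."""
    cols = [transform(P, tuple(1.0 if i == j else 0.0 for i in range(n)))
            for j in range(n)]
    return [[cols[j][i] for j in range(n)] for i in range(n)]


def is_orthogonal(A, eps=1e-9):
    """True when A^T A = I, i.e. the map preserves Euclidean length."""
    n = len(A)
    return all(abs(sum(A[k][i] * A[k][j] for k in range(n)) - (i == j)) < eps
               for i in range(n) for j in range(n))


if __name__ == "__main__":
    P = (1, 2, 3, 4, 1, 2, 3, 4)
    M = (4.0, 5.0, 6.0)
    E, E_round = encrypt(P, M)
    print("E        =", E)
    print("E_round  =", E_round)
    print("decrypt  =", decrypt(P, E_round))
    # A corrupted coordinate no longer lands near integer coordinates.
    print("tampered =", decrypt(P, (E_round[0] + 0.5, E_round[1], E_round[2])))
    print("orthogonal matrix:", is_orthogonal(as_matrix(P)))
    print("|M|, |E| =", math.sqrt(dot(M, M)), math.sqrt(dot(E, E)))
```

Because every reflection is linear and length-preserving, the transmitted vector always has the same Euclidean length as the plaintext, and the whole map for a given P is one 3x3 orthogonal matrix.
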

[0063] In a further embodiment of the invention the reflections $S_i$
will be replaced by the twisted reflections T in order to
further enhance the security level of the proposed cryptosystem.
A twisted reflections embodiment of the cryptosystem
hereof works in the n-dimensional vector space
V over the field of real numbers and a bilinear form L on
V. A vector x in V can be written as an n-tuple of real
numbers:

[0064] $x = [x_1, x_2, \ldots, x_n]$.

[0065] A bilinear form can be written as

[0066] $L(x, y) = \sum l_{ij}\, x_i\, y_j$

[0067] where the summation is over all pairs (i, j) such that $1 \le i, j \le n$,
and all $l_{ij}$ are real numbers. The embodiment of the
cryptosystem hereof depends on discrete parameters n
and m, which are positive integers, and two sets of continuous
parameters: any vectors $v_1, v_2, \ldots, v_m$ of V and
polynomial or (everywhere defined) rational automorphisms
$g_1, g_2, \ldots, g_m$ of V. In an embodiment the coordinates
of the vectors of the cryptosystem hereof are presented
by decimal real numbers having totally $l$ decimal
digits (therefore, the average number of digits in each coordinate
is $l/(n \cdot m)$). Therefore, the security level of the
cryptosystem hereof provided by the first set of parameters
alone is measured as the number of all such sets of
vectors, i.e.,

[0068] $10^{l} \cdot (l-1)!/[(n \cdot m - 1)!\,(l - n \cdot m)!]$.

[0069] For example, if n = 3, m = 4, $l$ = 72, the security level is
measured as

[0070] $10^{72} \cdot (72-1)!/[(3 \cdot 4 - 1)!\,(72 - 3 \cdot 4)!] \approx 2.5 \cdot 10^{84}$.



[0071] (Actually the security level is much higher because the total
number $l$ of the digits is arbitrarily big and not public.)
In one embodiment when the polynomial or rational automorphisms
$g_1, g_2, \ldots, g_m$ are not public, they additionally
enhance the security level of the cryptosystem. In another
embodiment when the polynomial or rational automorphisms
$g_1, g_2, \ldots, g_m$ are public, their contribution to security
consists of an additional defense against attacks on
transmitted messages. More precisely, it is much harder
to reconstruct the decryption automorphism $T_d$ that is a
non-linear (e.g., polynomial or rational) transformation of
V than the decryption automorphism that is a linear transformation
of V, i.e., an automorphism that is a matrix.

[0072] The following is an example of an embodiment in accordance
with the invention of a symmetric cryptosystem.
The small numbers n = 3, m = 4, $l \le 24$ are used for ease
of illustration, however, even with these small numbers
the cryptosystem hereof is still cryptographically secure.
The automorphisms $g_1$, $g_2$, $g_3$, $g_4$ are considered public.
Thus, in this example, the security level is measured as
$1.3 \cdot 10^{30} \approx 2^{100}$. In creating a symmetric cryptosystem in
accordance with an embodiment hereof (and with the previously
indicated small numbers for ease of illustration), a
first step is to choose integer parameters m, n. Take, for
example n = 3, m = 4. Next, the bilinear form L is chosen
to be the standard Euclidean dot product on $V = R^3$, that
is,

[0073] $L(x, y) = x_1 \cdot y_1 + x_2 \cdot y_2 + x_3 \cdot y_3$

[0074] for all x and y in $R^3$. Some sequence of vectors $v_1$, $v_2$, $v_3$, $v_4$
is chosen as follows: $v_1$ = [1,21,31], $v_2$ = [2,30,40], $v_3$ =
[3,40,50], $v_4$ = [4,50,6]. And some second set of continuous
parameters, i.e., the set of four automorphisms $g_1$, $g_2$,
$g_3$, $g_4$, is chosen as follows:

[0075] $g_1([x_1, x_2, x_3]) = [x_1, x_2, x_3]$,

[0076] $g_2([x_1, x_2, x_3]) = [x_1, x_2, x_3]$,

[0077] $g_3([x_1, x_2, x_3]) = [x_1, x_2, x_3]$,

[0078] $g_4([x_1, x_2, x_3]) = [x_1, x_2 + f(x_1), x_3]$, where

[0079] $f(x_1) = (2x_1^3 + 7x_1^2 + 3x_1 + 10)/(3x_1^2 + 5)$.

[0080] Then the twisted reflections $T_1$, $T_2$, $T_3$, $T_4$ are defined as
above by:

[0081] $T_1 = g_1 \circ S_1 \circ g_1^{-1}$, $T_2 = g_2 \circ S_2 \circ g_2^{-1}$, $T_3 = g_3 \circ S_3 \circ g_3^{-1}$, $T_4 = g_4 \circ S_4 \circ g_4^{-1}$.

[0082] In this example $T_1 = S_1$, $T_2 = S_2$, $T_3 = S_3$, but $T_4 \ne S_4$. A
plaintext message, for example, is the vector x = [4, 5, 6]
of the vector space $R^3$. Then:

[0083] $L(x, v_1) = 295$, $L(x, v_2) = 398$, $L(x, v_3) = 512$, $L(x, v_4) = 302$.

[0084] Furthermore,

[0085] $L(v_1, v_1) = 1403$, $L(v_2, v_2) = 2504$, $L(v_3, v_3) = 4109$, $L(v_4, v_4) = 2552$.

[0086] Therefore, 

[0087] $T_1(x) = S_1(x) = [4,5,6] - 2 \cdot (295/1403) \cdot [1,21,31] = [3.579472559, -3.831076265, -7.036350677]$

[0088] $T_2(x) = S_2(x) = [4,5,6] - 2 \cdot (398/2504) \cdot [2,30,40] = [3.364217252, -4.536741214, -6.715654952]$

[0089] $T_3(x) = S_3(x) = [4,5,6] - 2 \cdot (512/4109) \cdot [3,40,50] = [3.25237284, -4.968362132, -6.460452665]$

[0090] $S_4(x) = [4,5,6] - 2 \cdot (302/2552) \cdot [4,50,6] = [3.053291536, -6.8338558, 4.579937304]$

[0091] $g_4(x) = [4, 9.943396227, 6]$

[0092] $g_4^{-1}(x) = [4, 0.056603774, 6]$

[0093] $S_4(g_4^{-1}(x)) = [3.828118531, -2.091914592, 5.742177796]$

[0094] $T_4(x) = g_4(S_4(g_4^{-1}(x))) = [3.828118531, 2.733397735, 5.742177796]$



[0095] The above fractional numbers are computed with the pre- 
cision of nine decimal places after the dot. In this example 
the numbers will be rounded up to two decimal places af- 
ter the dot, that is, 

[0096] $T_1(x) = S_1(x) = [3.58, -3.83, -7.04]$,

[0097] $T_2(x) = S_2(x) = [3.36, -4.54, -6.72]$,

[0098] $T_3(x) = S_3(x) = [3.25, -4.97, -6.46]$,

[0099] $S_4(x) = [3.05, -6.83, 4.58]$,

[0100] $g_4(x) = [4, 9.94, 6]$,

[0101] $g_4^{-1}(x) = [4, 0.06, 6]$,

[0102] $S_4(g_4^{-1}(x)) = [3.83, -2.09, 5.74]$,

[0103] $T_4(x) = g_4(S_4(g_4^{-1}(x))) = [3.83, 2.73, 5.74]$.

[0104] To implement the key creation of this example, the user of the processor-based system 101, call her Alice, decides to send a message to the user of the processor-based system 151, call him Bob. [It is assumed in this example that the processor-based systems 101 and 151 share the secret (i.e., available only to Alice and Bob) first set of parameters $v_1, v_2, v_3, v_4$, the (non-secret) standard dot product $L$ on $V$, defined as above, and the (non-secret) second set of parameters $g_1, g_2, g_3, g_4$.] Suppose that Alice [or the processor-based system 101] chooses $k = 8$ and a sequence $P$ of $k$ integers: $P = (1, 2, 3, 4, 1, 2, 3, 4)$ as the outer component of the encryption key [the restrictions on $P$ in this example are that $p_j \neq p_{j+1}$ for $j = 1, 2, \dots, k-1$, and all $p_j$ are between 1 and 4; therefore, $P$ can be chosen essentially at random within these limits]. Thus the encryption key $K = (P, Q)$ is created, where $Q$ is the inner component comprised of the parameters $v_1, v_2, v_3, v_4$ and $g_1, g_2, g_3, g_4$. Based on this encryption key $K$, the processor-based system 101 creates the encryption automorphism $T_e$. This $T_e$ is an automorphism of the space $V$ defined by the formula

[0105] $T_e = T_1 \circ T_2 \circ T_3 \circ T_4 \circ T_1 \circ T_2 \circ T_3 \circ T_4$,

[0106] where $T_1, T_2, T_3, T_4$ are twisted reflections, as defined above. For example, suppose that Alice wants to send to Bob the message $M = x = [4, 5, 6]$. The processor-based system 101 encrypts this message using the encryption automorphism $T_e$ constructed above. The processor-based system 101 applies $T_e$ to $M$ and thus creates the encrypted message $E$ given by

[0107] $E = T_e(M) = [4.42453245, 6.72134463, -13.76860997]$.



[0108] The above fractional numbers are computed with the precision of eight decimal places after the dot. In this example the numbers comprising $E$ are rounded up to two decimal places after the dot, that is, $E$ is replaced by $E_{round}$, where $E_{round} = [4.42, 6.72, -13.77]$. Then transceiver 108 sends the pair

[0109] $(P; E_{round}) = (1, 2, 3, 4, 1, 2, 3, 4; [4.42, 6.72, -13.77])$

[0110] In the next part of the example, decryption of the received message is described. In order to decrypt the received message $(P; E_{round})$, the processor-based system 151 creates the decryption key $K' = (P'; Q)$, where $P' = (4, 3, 2, 1, 4, 3, 2, 1)$, that is, $P'$ is the reversed $P$, and $Q$ is the inner component as above. Based on this decryption key $K'$ the processor-based system 151 creates the decryption automorphism $T_d$ of the vector space $V$ given by

[0111] $T_d = T_4 \circ T_3 \circ T_2 \circ T_1 \circ T_4 \circ T_3 \circ T_2 \circ T_1$.

[0112] The processor-based system 151 decrypts the received message $E_{round}$ by applying the decryption automorphism $T_d$:

[0113] $M_{approx} = T_d(E_{round}) = [3.99511743, 4.99555740, 6.00656969]$.

[0114] The above fractional numbers are computed with the precision of eight decimal places after the dot. In this example processor-based system 151 rounds up these numbers to the closest integers, that is, it replaces $M_{approx}$ by the vector $M_{round}$, where $M_{round} = [4, 5, 6]$. This is the original message $M$. The fact that the coordinates of the decrypted message $M_{approx}$ are sufficiently close to integers [that is, the distances between the coordinates and the closest integers are less than 0.01] indicates that there have not been any errors during transmission of the message $(P; E_{round})$. Therefore, the cryptosystem of the present invention can also be used for detecting errors of transmission.

[0115] FIG. 2 illustrates a basic procedure that can be utilized with a symmetric encryption system, and refers to routines illustrated by other referenced flow diagrams which describe features in accordance with an embodiment of the invention. The block 201 represents the generating of the outer component of the encryption key. The routine of an embodiment hereof is described in conjunction with the flow diagram of FIG. 3. In the present example, it can be assumed that this operation is performed at the processor-based system 101. The outer component information can be published. For example, "publishing" of the outer component information can be performed by the sender of the encrypted message. In particular, the outer component information can be transmitted by the sender of the encrypted message along with the message. Typically, although not necessarily, each transmitted message has its own outer component of the key that is generated by the sender. In the present example, it is assumed that the user of the processor-based system 101 wants to send a confidential message to the user of processor-based system 151, and that the user of processor-based system 101 can generate this outer component of the key within processor-based system 101. The block 202 represents the routine that can be used by the message sender (that is, in this example, the user of processor-based system 101) to generate inner component of the encryption key and the corresponding encryption automorphism. This routine, for an embodiment of the invention, is described in conjunction with the flow diagram of FIG. 4. The block 203 represents the routine that can be used by the message sender (that is, in this example, the user of processor-based system 101) to encrypt the plaintext message using the encryption automorphism. This routine, in accordance with an embodiment of the invention, is described in conjunction with the flow diagram of FIG. 5. The encrypted message is then transmitted over the channel 100 (FIG. 1). The block 204 represents the routine that can be used by the message recipient (that is, in this example, the user of processor-based system 151) to generate the decryption automorphism using the decryption key that, in its turn, is produced based on the outer component generated in the block 201 and the inner component generated in the block 202. The decryption automorphism generating routine, for an embodiment of the invention, is described in conjunction with the flow diagram of FIG. 6. The block 205 of FIG. 2 represents the routine for the decryption of the encrypted message to recover the plaintext message. In the present example, this function is performed by the user of the processor-based system 151, who employs the decryption automorphism generated in the block 204. The decryption routine, for an embodiment of the invention, is described in conjunction with the flow diagram of FIG. 7.

[0116] FIG. 3 represents generation of the outer component of the encryption key. First, the length $k$ of the outer component is chosen in the block 301. Then the outer component $P$ is generated in the block 302: $P$ is a sequence $(p_1, p_2, \dots, p_k)$ of length $k$ each member $p_j$ of which is an integer between 1 and $m$ [where $m$ is the size of the set of internal parameters]. $P$ is generated at random in such a way that $p_j \neq p_{j+1}$ for $j = 1, 2, \dots, k-1$.

[0117] Referring now to FIG. 4, there is shown a flow diagram of the routine, as represented generally by the block 202 of FIG. 2, for generating the inner component of encryption key and the corresponding encryption automorphism $T_e$. The routine can be utilized, in the present example, for programming the processor 102 of the processor-based system 101. The block 401 represents the choosing of a positive integer $n$. As first described above, $n$ determines the dimension of the vector space $V$ over the field of real numbers. The block 402 represents the generation of $L$, which is the bilinear form on the $n$-dimensional vector space $V$. In the simplified example above, $L$ was a standard Euclidean dot product on $V$. Next, the block 403 represents the choosing at random of vectors $v_1, v_2, \dots, v_m$. These vectors serve as internal parameters of the cryptosystem and, in this embodiment, they comprise the inner component $Q$ of the encryption key. The coordinates of the vectors may, for example, be chosen using a random number generator, which can be implemented, in known fashion, using available hardware or software. In the present embodiment, each of the processor-based systems is provided with a random number generator, designated by the blocks 109 and 159 respectively, in FIG. 1. The block 404 represents computation of the squares of the vectors $v_1, v_2, \dots, v_m$ with respect to the bilinear form $L$. If $L(v_p, v_p) = 0$ for at least one index $p$, the block 403 is re-entered, and a new corresponding vector $v_p$ is chosen. The loop 405 is continued until all the squares become non-zero. [The probability of a square equal to 0 emerging is extremely low. Moreover, if $L$ is a standard Euclidean dot product, each non-zero vector of $V$ has a positive (hence, non-zero) square with respect to the dot product and, therefore, the loop 405 does not take place.] The block 406 is then entered; this block represents the generation of reflections $S_1, S_2, \dots, S_m$ relative to the vectors $v_1, v_2, \dots, v_m$ respectively according to

[0118] $S_p(x) = x - [2L(x, v_p) / L(v_p, v_p)] \cdot v_p$

[0119] for $p = 1, 2, \dots, m$ as first described above. The block 407 represents construction of the encryption automorphism $T_e$ by multiplying reflections $S_1, S_2, \dots, S_m$ in the order prescribed by the outer component $P = (p_1, p_2, \dots, p_k)$, in accordance with

[0120] $T_e = S_{p_1} \circ S_{p_2} \circ \dots \circ S_{p_k}$

[0121] as first described above [that is, $T_e$ is obtained by multiplying the reflections $S_1, S_2, \dots, S_m$ in the order prescribed by the outer component $P = (p_1, p_2, \dots, p_k)$.]

[0122] FIG. 5 is a flow diagram, represented generally by the block 203 of FIG. 2, of a routine for programming a processor, such as the processor 102 of the processor-based system 101 (FIG. 1) to implement encryption of a plaintext message $M$. The message to be encrypted is input (block 501). The encrypted message, $E$, can then be computed (block 502) as $E = T_e(M)$, where $T_e$ is the encryption automorphism constructed in the block 407 of FIG. 4. The encrypted message can be transmitted (block 503) over channel 100 to the recipient who, in the present example, is the user of the processor-based system 151.

[0123] FIG. 6 is a flow diagram of the routine, as represented generally by the block 204 of FIG. 2, for generating the decryption automorphism. The routine can be utilized, in the present example, for programming the processor 152 of the processor-based system 151. It can be assumed in the present example that, prior to receiving the message, the recipient of the message possesses the parameters of the cryptosystem: the vector space $V$, the bilinear form $L$, and a set of internal parameters: the vectors $v_1, v_2, \dots, v_m$ that, in the present embodiment, comprise the inner component $Q$. [In particular, the set of private parameters $v_1, v_2, \dots, v_m$ can be communicated to the recipient over a secure channel of communication.] The block 601 represents inputting the parameters [that is, $V$, $L$, and $v_1, v_2, \dots, v_m$] into the processor-based system 151. The block 602 is then entered; this block represents the generation of reflections $S_1, S_2, \dots, S_m$ relative to the vectors $v_1, v_2, \dots, v_m$ respectively according to

[0124] $S_p(x) = x - [2L(x, v_p) / L(v_p, v_p)] \cdot v_p$

[0125] for $p = 1, 2, \dots, m$ as first described above. The block 603 represents construction of the decryption automorphism $T_d$ by multiplying reflections $S_1, S_2, \dots, S_m$ in the order opposite to that of the outer component $P = (p_1, p_2, \dots, p_k)$, in accordance with

[0126] $T_d = S_{p_k} \circ \dots \circ S_{p_2} \circ S_{p_1}$

[0127] as first described above. [In other words, the construction of the decryption automorphism $T_d$ proceeds in the same way as the construction of the encryption automorphism $T_e$ but in the order prescribed by the sequence $P' = (p_k, p_{k-1}, \dots, p_1)$ which is the reversed outer component $P = (p_1, p_2, \dots, p_k)$.]

[0128] FIG. 7 is a flow diagram, represented generally by the block 205 of FIG. 2, of a routine for programming a processor, such as the processor 152 of the processor-based system 151 (FIG. 1) to implement decryption of a received encrypted message $E$. The message $E$ is received (block 701). The decrypted message $M$ can then be computed (block 702) as $M = T_d(E)$, where $T_d$ is the decryption automorphism constructed in the block 603 of FIG. 6.

[0129] FIGS. 8 and 9 are flow diagrams relating to the above-described twisted reflections embodiment. FIG. 8 is a flow diagram of the routine, as represented generally by the block 202 of FIG. 2, for generating the inner component of encryption key and the corresponding encryption automorphism $T_e$. As above, the routine can be utilized, in the present example, for programming the processor 102 of the processor-based system 101. The block 801 represents the choosing of a positive integer $n$. As first described above, $n$ determines the dimension of the vector space $V$ over the field of real numbers. The block 802 represents the generation of $L$, which is the bilinear form on the $n$-dimensional vector space $V$. In the simplified example above, $L$ was a standard Euclidean dot product on $V$. Next, the block 803 represents the choosing at random of vectors $v_1, v_2, \dots, v_m$. These vectors serve as the first set of the internal parameters of the cryptosystem. The coordinates of the vectors may, for example, be chosen using a random number generator, which can be implemented, in known fashion, using available hardware or software. In the present embodiment, each of the processor-based systems is provided with a random number generator, designated by the blocks 109 and 159 respectively, in FIG. 1. The block 804 represents computation of the squares of the vectors $v_1, v_2, \dots, v_m$ with respect to the bilinear form $L$. If $L(v_p, v_p) = 0$ for at least one index $p$, the block 803 is re-entered, and a new corresponding vector $v_p$ is chosen. The loop 805 is continued until all the squares become non-zero. [The probability of a square equal to 0 emerging is extremely low. Moreover, if $L$ is a standard Euclidean dot product, each non-zero vector of $V$ has a positive (hence, non-zero) square with respect to the dot product and, therefore, the loop 805 does not take place.] The block 806 is then entered; this block represents the generation of reflections $S_1, S_2, \dots, S_m$ relative to the vectors $v_1, v_2, \dots, v_m$ respectively according to

[0130] $S_p(x) = x - [2L(x, v_p) / L(v_p, v_p)] \cdot v_p$



[0131] for $p = 1, 2, \dots, m$ as first described above. The block 807 represents selection of a set of polynomial or rational automorphisms $g_1, g_2, \dots, g_m$ of the vector space $V$. These automorphisms serve as the second set of the internal parameters of the cryptosystem. These automorphisms (along with the first set of internal parameters $v_1, v_2, \dots, v_m$) form the inner component $Q$ of the encryption key. The automorphisms are chosen at random as compositions of linear automorphisms of $V$ and the basic polynomial automorphisms of the form described above:

[0132] $g(x_1, x_2, \dots, x_n) = (x_1, x_2 + f_1(x_1), x_3 + f_2(x_1, x_2), \dots, x_n + f_{n-1}(x_1, x_2, \dots, x_{n-1}))$,

[0133] where $f_j : \mathbb{R}^j \to \mathbb{R}$ for $j = 1, 2, \dots, n-1$ are rational maps. Each of the maps $f_j$ is chosen recursively at random using, for example, a random number generator, which can be implemented, in known fashion, using available hardware or software. In the present embodiment, each of the processor-based systems is provided with a random number generator, designated by the blocks 109 and 159 respectively, in FIG. 1. The block 808 represents generation of the twisted reflections $T_1, T_2, \dots, T_m$ in accordance with $T_p = g_p \circ S_p \circ g_p^{-1}$ for $p = 1, 2, \dots, m$. The block 809 represents construction of the encryption automorphism $T_e$ in accordance with

[0134] $T_e = T_{p_1} \circ T_{p_2} \circ \dots \circ T_{p_k}$

[0135] as first described above [that is, $T_e$ is obtained by multiplying the twisted reflections $T_1, T_2, \dots, T_m$ in the order prescribed by the outer component $P = (p_1, p_2, \dots, p_k)$.]

[0136] FIG. 9 is a flow diagram of the routine, as represented generally by the block 204 of FIG. 2, for generating the decryption automorphism $T_d$ of the present twisted reflections embodiment. The routine can be utilized, in the present example, for programming the processor 152 of the processor-based system 151. It can be assumed in the present example that, prior to receiving the message, the recipient of the message possesses the parameters of the cryptosystem: the vector space $V$, the bilinear form $L$, and two sets of internal parameters: the vectors $v_1, v_2, \dots, v_m$ of $V$, and the polynomial or rational automorphisms $g_1, g_2, \dots, g_m$ of $V$. These two sets of parameters, in the present embodiment, comprise the inner component $Q$. In one embodiment of the present example both the vectors $v_1, v_2, \dots, v_m$ and the automorphisms $g_1, g_2, \dots, g_m$ can be considered private parameters. In another embodiment, only the vectors $v_1, v_2, \dots, v_m$ can be considered private, while the automorphisms $g_1, g_2, \dots, g_m$ can be considered public parameters. [In particular, the private parameters $v_1, v_2, \dots, v_m$ can be communicated to the recipient over a secure channel of communication.] In another embodiment, only the automorphisms $g_1, g_2, \dots, g_m$ can be considered private, while the vectors $v_1, v_2, \dots, v_m$ can be considered public parameters. The block 901 represents inputting the parameters [that is, $V$, $L$, and $v_1, v_2, \dots, v_m$; $g_1, g_2, \dots, g_m$] into the processor-based system 151. The block 902 is then entered; this block represents the generation of reflections $S_1, S_2, \dots, S_m$ relative to vectors $v_1, v_2, \dots, v_m$ respectively according to

[0137] $S_p(x) = x - [2L(x, v_p) / L(v_p, v_p)] \cdot v_p$

[0138] for $p = 1, 2, \dots, m$ as first described above. The block 903 represents generation of the twisted reflections $T_1, T_2, \dots, T_m$ in accordance with $T_p = g_p \circ S_p \circ g_p^{-1}$ for $p = 1, 2, \dots, m$. The block 904 represents construction of decryption automorphism $T_d$ by multiplying the twisted reflections $T_1, T_2, \dots, T_m$ in the order opposite to that of the outer component $P = (p_1, p_2, \dots, p_k)$, in accordance with

[0139] $T_d = T_{p_k} \circ \dots \circ T_{p_2} \circ T_{p_1}$

[0140] which proceeds in the same way as the construction of the encryption automorphism $T_e$ but in the order prescribed by the sequence $P' = (p_k, p_{k-1}, \dots, p_1)$ which is the reversed outer component $P = (p_1, p_2, \dots, p_k)$.
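The worked example of [0075]-[0114] and the routines of FIGS. 3, 5, 7, 8 and 9, as a Python sketch added here (it is not part of the patent text; function names are illustrative). The vectors, $f_1$ and $P$ are the example's own values; the composition is evaluated with the rightmost factor applied first, which is the ordering that reproduces the $E$ of [0107], and the corrupted ciphertext in the demo is constructed.

```python
import secrets

# Inner component Q of the worked example: v_1..v_4 (values as used in [0087]-[0090]).
V = {1: (1, 21, 31), 2: (2, 30, 40), 3: (3, 40, 50), 4: (4, 50, 6)}

def dot(a, b):
    """Standard dot product L on R^3."""
    return sum(x * y for x, y in zip(a, b))

def f1(t):
    """Rational map f_1 of [0079]."""
    return (2 * t**3 + 7 * t**2 + 3 * t + 10) / (3 * t**2 + 5)

def g(p, x, inverse=False):
    """g_1..g_3 are the identity; g_4 shifts x_2 by +f_1(x_1) (inverse: -f_1(x_1))."""
    if p != 4:
        return list(x)
    shift = -f1(x[0]) if inverse else f1(x[0])
    return [x[0], x[1] + shift, x[2]]

def reflect(p, x):
    """S_p(x) = x - [2 L(x, v_p) / L(v_p, v_p)] v_p."""
    v = V[p]
    c = 2 * dot(x, v) / dot(v, v)
    return [xi - c * vi for xi, vi in zip(x, v)]

def twisted(p, x):
    """T_p = g_p o S_p o g_p^{-1}."""
    return g(p, reflect(p, g(p, x, inverse=True)))

def outer_component(k, m=4):
    """FIG. 3: random P of length k over 1..m with p_j != p_{j+1}."""
    P = [secrets.randbelow(m) + 1]
    while len(P) < k:
        p = secrets.randbelow(m) + 1
        if p != P[-1]:
            P.append(p)
    return P

def compose(P, x):
    """Evaluate (T_{p_1} o ... o T_{p_k})(x); the rightmost factor acts first."""
    for p in reversed(P):
        x = twisted(p, x)
    return x

def encrypt(P, M):
    """FIG. 5: E = T_e(M)."""
    return compose(P, M)

def decrypt(P, E, tol=0.01):
    """FIG. 7: apply T_d (reversed P), round to integers, and report whether every
    coordinate lies within tol of an integer (the transmission check of [0114])."""
    approx = compose(P[::-1], E)
    rounded = [round(c) for c in approx]
    intact = all(abs(c - r) < tol for c, r in zip(approx, rounded))
    return approx, rounded, intact

if __name__ == "__main__":
    P, M = [1, 2, 3, 4, 1, 2, 3, 4], [4, 5, 6]
    E_round = [round(c, 2) for c in encrypt(P, M)]
    print(E_round, decrypt(P, E_round))
    print(decrypt(P, [4.47, 6.72, -13.77]))  # constructed: first coordinate corrupted
```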

[0141] The invention has been described with reference to particular preferred embodiments, but variations within the spirit and scope of the invention will occur to those skilled in the art. For example, it will be understood that the internal parameters of the cryptosystem can be stored on any suitable media, for example a "smart card," which can be provided with a microprocessor capable of constructing encryption/decryption keys and performing encryption/decryption processes, so that encrypted messages can be communicated to and/or from the smart card.



